01-22-2020 06:02 AM
Hello All
I hope you guys are all right.
I would like your help, if possible, on the procedures for regenerating CUCM certificates, more specifically those indicated below:
1- Tomcat Certificate:
If Tomcat is third-party signed? I found a link, but I didn't understand how to access the interface indicated in the procedure "Submit CSR to CA" and the following steps:
https://supportforums.Cisco.com/docs/DOC-6119
2 - CallManager Certificate:
"If you are in Mixed Mode only and have already regenerated the CAPF, update the CTL before proceeding (Token / Tokenless)". I didn't understand the expression "Token - Tokenless".
FYI : The platform is isolated from the internet or Cisco Cloud.
Thank you in advance for your support.
Regards.
01-22-2020 08:06 AM
If the certs are signed by an external CA today and you need to renew them, the process is to get a new CSR generated from the server, sign it with the external CA, and then upload it back on the application along with all root and intermediate certs, if those are different. After the certs are uploaded, restart the appropriate service, i.e. Tomcat, for the new cert to take effect.
By definition tokenless CTL cert:
Tokenless CTL is a new feature in CUCM Versions 10.0(1) and later that allows the encryption of call signaling and media for IP Phones without the need to use hardware USB eTokens and the CTL Client plugin, which was the requirement in previous CUCM releases.
When the cluster is placed into Mixed mode with the use of the CLI command, the CTL file is signed with the CCM+TFTP (server) certificate of the Publisher node, and there are no eToken certificates present in the CTL file.
Prior versions required a USB token, which as of version 10 is no longer required.
01-22-2020 10:43 AM
Hello mnehar
In regards your question 1:
1- Tomcat Certificate:
The "Submit CSR to CA" section of the document you found is related to a Windows Server working as a Certificate Authority (CA), which is normally used for lab purposes. In the real world, it is recommended to use an external CA like GoDaddy or Verisign to sign your certificates, although they will charge you for it.
Thus the only procedure you need to follow, if you decide to use this option, is to generate the CSR and get the file to the external CA; they will come back to you with a certificate chain, including the root, any intermediate certs and the identity certificate, which you need to upload into CUCM.
On the other hand, if you do not want to get charged, you can use any other internal CA that your company may have, like in this case a Windows Server CA, although you can get security warnings when using the Tomcat cert with other applications.
Regards!
Ivan
01-27-2020 03:39 AM
Hello Chris and Ivan
Thank you for your support and information it's clear.
I just checked the certificate descriptions; they are self-signed (capture attached). In my opinion I don't need to download a new CSR and have it validated by an external CA.
Please check the attached capture and get back to me ASAP; in yellow are the certificates that have to be regenerated.
Thank you again (Chris&Ivan) for your great support.
Regards.
NEHAR Mohamed.
01-27-2020 05:01 AM
Your screen shot did not show the actual certificates, just descriptions.
Either way, if the Tomcat cert is self-signed then there is no need to get a CSR: with self-signed certs, if one is expiring you just need to press the "Regenerate" button and restart the Tomcat service.
01-27-2020 05:14 AM
Hello Chris
Thank you for your reply and the information.
Yes, I didn't include the names of the certificates because I work in a state company, just to avoid publishing the names of the certificates.
Last question: for certificates registered with the trust certificate, are they self-signed or not? Can I regenerate them without using the CSR file extraction method?
Thank you in advance.
Regards.
NEHAR Mohamed.
01-27-2020 05:31 AM
Hello
I know I've asked too much.
Do I have to regenerate all expired certificates, for example (CAPF, CAPF-Trust, IPSEC, IPSEC-Trust, ...), or only those like (CAPF, IPSEC, ...)?
01-27-2020 05:56 AM
What do you mean by "For certificates registered with the trust certificate"?
Self-signed certificates are issued by the server itself, so if you click on the certificate and check the "Issuer Name:" and it shows the information of the server itself, i.e. "L=chicago, ST=il, CN=cucm01, OU=IT, O=NM, C=US", then it's a self-signed cert; otherwise, if it shows something else, i.e. "VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5", then it's signed by an external CA. The "Type" column on the certificate management page also indicates whether the cert is Self-signed or CA-signed.
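The two points made in this thread, Chris's renewal flow for a CA-signed cert (new CSR, sign it at the CA, upload the identity cert plus the root/intermediate certs) and his Issuer-vs-Subject test for telling a self-signed cert from a CA-signed one, can be rehearsed locally with OpenSSL before touching the server. The script below is an added example, not from the thread, from Cisco or from any CUCM tool: it builds a throw-away internal CA (standing in for the Windows Server CA mentioned above) with the hypothetical names "Example Internal Root CA" and cucm01.example.internal, issues a host certificate from a fresh CSR, and then checks what you would want to know before uploading: is the cert self-signed, does it chain to the CA bundle you will load as the *-trust cert, and how close to expiry is it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Cisco). Rehearses, with a constructed
# internal CA and a hypothetical host name, two things discussed above:
#   1. renewing a CA-signed identity cert: new key + CSR -> CA signs it -> verify
#      the issued cert chains to the CA that will be uploaded as the *-trust cert
#   2. telling a self-signed cert from a CA-signed one by comparing Issuer/Subject

# Print "yes" if Issuer and Subject are the same name (self-signed), else "no".
# Works with both old ("subject= /C=US/...") and new ("subject=C = US, ...") output.
is_self_signed() {
    local subj issuer
    subj=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then echo yes; else echo no; fi
}

# Print "ok" if the identity cert validates against the given trust bundle
# ($1 = root + intermediates, $2 = identity cert). Run this before uploading:
# if the chain does not end at the certs you upload as *-trust, peers will not trust it.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Print "yes" if the cert ($1) expires within $2 days, else "no" (renewal triage).
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# Build a throw-away PKI in a temp dir and print its path:
#   ca.pem / ca.key  constructed internal root CA (hypothetical "Example Internal Root CA")
#   server.key       new private key for the host (do not reuse the old one when renewing)
#   server.csr       the CSR you would hand to the CA
#   server.pem       the signed identity cert, i.e. what gets uploaded as "tomcat"
build_demo_pki() {
    local d; d=$(mktemp -d)
    local cn=cucm01.example.internal   # hypothetical host name

    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

    # CSR for the host; the Subject mirrors the style of the example Chris quotes.
    cat > "$d/csr.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[dn]
C = US
ST = il
L = chicago
O = NM
OU = IT
CN = $cn
[v3_req]
subjectAltName = DNS:$cn
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$d/csr.cnf" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null

    # The CA signs the CSR. Extensions are set on the CA side (extfile), not copied
    # from the CSR, so a requester cannot ask for CA:TRUE and get it.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$cn" > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$d/ext.cnf" -out "$d/server.pem" 2>/dev/null

    echo "$d"
}

main() {
    local d; d=$(build_demo_pki)
    echo "CA cert self-signed:       $(is_self_signed "$d/ca.pem")"                 # yes
    echo "Identity cert self-signed: $(is_self_signed "$d/server.pem")"             # no
    echo "Chain to CA verifies:      $(verify_chain "$d/ca.pem" "$d/server.pem")"   # ok
    echo "Expires within 30 days:    $(expires_within_days "$d/server.pem" 30)"     # no
    echo "Expires within 900 days:   $(expires_within_days "$d/server.pem" 900)"    # yes
    echo "Upload $d/server.pem as the identity cert and $d/ca.pem as its trust cert."
}
main "$@"
```

The name comparison is the same test Chris describes in the GUI, and it is a heuristic: a cert whose Issuer merely looks like its Subject is not proven self-signed until `openssl verify -CAfile cert.pem cert.pem` succeeds with the cert as its own trust anchor. For a real renewal, replace the constructed CA with your organisation's CA, keep `server.key` on the server, send only `server.csr`, and upload the returned identity cert together with every root and intermediate cert in the chain before restarting the service.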
01-27-2020 06:57 AM
Hello Chris
OK, it's clear.
Now, do I have to regenerate all expired certificates, for example (CAPF, CAPF-Trust, IPSEC, IPSEC-Trust, ...), or only those like (CAPF, IPSEC, ...)?
Is it that the certificates, for example CAPF-Trust, are part of the CAPF cert, so if I regenerate the CAPF certificate.pem "only", the CAPF-Trust certificate will regenerate itself?
Regards.
NEHAR Mohamed.
02-03-2020 03:46 AM
Hello
The regeneration of the certificates (Tomcat, IPsec, CAPF, CallManager, ITL and TVS) is done successfully. Now I have trust certificates that expire in 2020; can I delete them?
Regards.
NEHAR Mohamed.